mirror of
https://github.com/keycloak/keycloak.git
synced 2026-01-25 16:42:34 +00:00
Do not verify nonce in access and refresh tokens (only id tokens) (#26891)
Closes #26651 Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>
This commit is contained in:
@@ -802,10 +802,7 @@ function Keycloak (config) {
|
||||
|
||||
setToken(accessToken, refreshToken, idToken, timeLocal);
|
||||
|
||||
if (useNonce && ((kc.tokenParsed && kc.tokenParsed.nonce != oauth.storedNonce) ||
|
||||
(kc.refreshTokenParsed && kc.refreshTokenParsed.nonce != oauth.storedNonce) ||
|
||||
(kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce))) {
|
||||
|
||||
if (useNonce && (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce)) {
|
||||
logInfo('[KEYCLOAK] Invalid nonce, clearing token');
|
||||
kc.clearToken();
|
||||
promise && promise.setError();
|
||||
|
||||
Reference in New Issue
Block a user